Zero Day MonitorZDM

← Back to list

—

CVE-2026-1502PATCHED

python software foundation · cpython

HTTP client proxy tunnel headers not validated for CR/LF

Description

A vulnerability marked as problematic has been reported in Python CPython up to 3.14.x. The impacted element is an unknown function of the component HTTP Client Proxy Tunnel Handler. Performing a manipulation results in crlf injection. This vulnerability was named CVE-2026-1502. The attack may be initiated remotely.

Affected Products

Vendor	Product	Versions
python software foundation	cpython	0, 3.14.x

References

https://github.com/python/cpython/pull/146212(patch)
https://github.com/python/cpython/issues/146211(issue-tracking)
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/(vendor-advisory)
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69(patch)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-1502 | Python CPython up to 3.14.x HTTP Client Proxy Tunnel crlf injection (ID 146211)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.15.0

CWECWE-20

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score27

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34591EXP

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

NONECVE-2026-3446

Base64 decoding stops at first padded quad by default

NONECVE-2026-4519EXP

webbrowser.open() allows leading dashes in URLs

NONECVE-2025-13462

tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

NONECVE-2026-3644

Incomplete control character validation in http.cookies

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Patch Available

Apr 10, 2026

Updated: description, affectedVersions, severity, cweIds

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated description with technical details, changed severity to HIGH, and added affected version 3.14.x.

descriptionaffectedVersionsseveritycweIds

via VulDB

v14h ago

Initial creation